But as scary as these stories are (and they are that, if you're paying attention), they shouldn't eclipse your concern over a host of more mundane but potentially equally damaging threats to your company's IP. The most common scenario, alas, is that an employee unwittingly shares a trade secret or a confidential idea, or that your business partner forgets about a nondisclosure agreement signed long ago. Social networks make this scenario exponentially more likely. The problem is, most companies have a broad range of information that can be considered intellectual property—though many have not taken the time to properly identify it all—and protecting all of it from myriad threats is a daunting prospect.
A number of CISOs contacted for this article say their corporate intellectual property is adequately protected by the standard data security practices they already have in place. That could be true, but consider: Much of the attention in recent years has focused on protecting transactional data and personally identifiable information (PII), such as customer names and credit card numbers. That's what compliance regimes such as PCI DSS address. Intellectual property is much squishier, and it may live in different parts of your network—and of your filing cabinets, whiteboards and so on—than PII does. And it is sometimes subject to a different set of legal protections.
So read on for expert advice on connecting all the dots and creating a more robust IP protection program.
Taking Stock of Intellectual Property
Unless you have already done this, and recently, the first thing you have to do is identify what your IP consists of and where it resides. This is no easy feat, as IP can be deceptively chameleon-like, taking multiple forms: structured and unstructured, amorphous and concrete, small shreds of things or entire databases, thoughts in someone's head or captured in a document. You need to explain to your employees and business partners in particular what your IP is, because if you don't, you can be sure they will share the information haphazardly and thereby reduce its value (at best) or jeopardize the company (at worst).
"We have gone through a significant effort to understand what we have in-house, what's commercial, where it resides," says Black. "Due to the speed at which we iterate, it's quite an effort."
After you've completed your IP inventory, the next step is to map the data, according to Gary Lynch, global head of strategic consulting for Marsh, a security advisory company.